A new cyberespionage campaign from China's APT15.
By Jason Cole, CyberWire staff writer.
Jun 21, 2023

APT15 is running a cyberespionage campaign against foreign ministries and other diplomatic targets.


The Threat Hunter Team at Symantec, part of Broadcom, released a new report detailing a recent campaign against various ministries of foreign affairs across the Americas by the China-backed advanced persistent threat (APT) group called the Flea (also known as APT15, Nickel, Nylon Typhoon, BackdoorDiplomacy, and Ke3chang).

The Flea APT is hopping between governments with a new backdoor.

In its report the threat hunter team described a new backdoor, “Backdoor.Graphican,” a third-generation backdoor derived from the previously used Ketrican and BS2005. “Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure,” the report finds. Symantec also drew similarities between Graphican and Fancy Bear’s (aka APT28, Sofacy, Strontium, SwallowTail) Graphite malware, which also uses the Microsoft Graph API and OneDrive as a command-and-control server. Though their techniques may be similar, this doesn’t necessarily mean the two groups are collaborating: “Once a technique is used by one threat actor, we often see other groups follow suit, so it will be interesting to see if this technique is something we see being adopted more widely by other APT groups and cyber criminals.” The Flea is still using Ketrican (Backdoor.Graphican’s predecessor) and appears to be not only maintaining it but updating it. Additionally, the group has been observed using living-off-the-land techniques to reduce its detectability while on a victim’s network.
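A backdoor that fetches its C&C infrastructure through the Microsoft Graph API and OneDrive blends into traffic most organizations already allow, so the detection opportunity shifts from "which domain is this" to "which process is talking to it." The following script is an added example (it is not from Symantec's report and not Graphican's code) that applies that idea to a few constructed proxy/EDR-style log lines. The log format, host lists and the allow-list of processes that legitimately use Graph and OneDrive are assumptions; a real deployment would build the allow-list from observed baseline behaviour on its own endpoints.

```python
"""Flag processes that contact Microsoft Graph / OneDrive endpoints but are
not among the processes expected to do so (added example; assumed log format)."""
from dataclasses import dataclass
from typing import List, Optional

# Endpoints used by Graph-API / OneDrive clients (public, well-known hosts).
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
ONEDRIVE_SUFFIXES = ("onedrive.live.com", "api.onedrive.com", "1drv.ms")

# Assumed allow-list: processes that normally talk to these services.
# Build this from your own baseline; it is illustrative only.
EXPECTED_PROCESSES = {
    "onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
    "chrome.exe", "firefox.exe", "winword.exe", "excel.exe",
}


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    process: str
    dest: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one assumed log line: '<ts> host=<h> proc=<p> dst=<d>'.
    Returns None for malformed lines so a bad record cannot stop the scan."""
    parts = line.split()
    if len(parts) < 4:
        return None
    fields = dict(tok.split("=", 1) for tok in parts[1:] if "=" in tok)
    try:
        return Event(parts[0], fields["host"],
                     fields["proc"].lower(), fields["dst"].lower())
    except KeyError:
        return None


def is_graph_or_onedrive(dest: str) -> bool:
    """True if the destination is a Graph or OneDrive endpoint."""
    return dest in GRAPH_HOSTS or dest.endswith(ONEDRIVE_SUFFIXES)


def find_suspicious(lines: List[str]) -> List[Event]:
    """Return events where a non-allow-listed process reached Graph/OneDrive."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_graph_or_onedrive(ev.dest) and ev.process not in EXPECTED_PROCESSES:
            hits.append(ev)
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-06-21T10:00:01Z host=WS01 proc=OneDrive.exe dst=graph.microsoft.com",
    "2023-06-21T10:00:05Z host=WS01 proc=svchost.exe dst=update.microsoft.com",
    "2023-06-21T10:01:10Z host=WS07 proc=rundll32.exe dst=graph.microsoft.com",
    "2023-06-21T10:01:12Z host=WS07 proc=rundll32.exe dst=api.onedrive.com",
    "2023-06-21T10:02:00Z host=WS03 proc=msedge.exe dst=onedrive.live.com",
    "garbage line with no fields",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host}: unexpected process {ev.process} -> {ev.dest}")
```

Only the two `rundll32.exe` connections from WS07 are reported; the browser and OneDrive client connections are treated as normal, and the malformed line is skipped. The value of this check is that it keys on process identity rather than on destination reputation, which is exactly the dimension a cloud-hosted C&C channel removes.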

Background of The Flea.

“The goal of the group does seem to be to gain persistent access to the networks of victims of interest for the purposes of intelligence gathering. Its targets in this campaign, of ministries of foreign affairs, also point to a likely geo-political motive behind the campaign,” the report reads. The group has been active since 2004 and tends to attack organizations that can yield intelligence, such as government organizations, diplomatic entities, and non-governmental organizations (NGOs). Previously, Microsoft had seized 42 domains associated with the group’s malicious activities. Symantec writes, “Flea is believed to be a large and well-resourced group, and it appears that exposure of its activity, and even takedowns such as that detailed by Microsoft, have failed to have a significant impact when it comes to stopping the group’s activity.” Though the Flea’s main attack vector is email, it should be noted that the group has also been observed using public-facing applications and VPNs to gain access to a victim’s systems.

Chinese threat groups are currently unusually active (and over-represented in cyberattacks).

Trellix has independently concluded, in its June 2023 Threat Report, that Chinese groups lead those of other countries in the volume of their cyberespionage activity. "APT groups linked to China, including Mustang Panda and UNC4191, are the most active in targeting nation-states, generating 79% of all activity detected." North Korea, Russia, Iran, and Pakistan are the distant also-rans.

(Added, 9:15 PM ET, June 21st, 2023. Several industry experts weighed in on the implications of APT15's recent activity. Sean McNee, VP, Research and Data at DomainTools, was struck by the threat actor's sophistication. “Creating malware is a sophisticated endeavor, as software of this nature needs to be installed, establish persistence, evade detection, and execute the attacker’s commands, such as exfiltrating documents," he wrote. "Building software which meets all of these criteria requires a notable investment in resources, so most groups will reuse components which are working well. It is not that dissimilar to other software development projects, where new features are added to an existing codebase. It is this ‘history’ of code reuse which allows security researchers to track which threat actors are related to each other over time." McNee also offered some advice to organizations on steps they might take to secure themselves. "As APT15 attacks have historically come from malicious email attachments," he wrote, "we recommend that companies ensure email security software and appliances are fully patched, and that endpoints are secured using EDR, so that any possible attacks are quickly identified and mitigated." Speculation about the strategy behind APT15's activity is just that, but McNee thinks it reasonable to adopt the working hypothesis that it's rooted in Beijing's long-range economic planning. "While DomainTools does not have any specific information to indicate that Flea/APT15 is actively pursuing targets related to China’s Strategic Five Year Plan, their historic set of targets, however, including governments and non-governmental organizations, suggest they are aligned to this overall strategy. In fact, many experts believe these plans are not for show but act as a prioritized list of industries for China-affiliated threat actors to target. The goal here is to gather IP and competitive analysis to ensure China has the information it needs to successfully meet its Plan.”

Jess Parnell, VP of Security Operations at Centripetal, focused on the implications a tool like the Graphican backdoor has for defenders. “One reason APT groups like Vixen Panda may choose to stick with their existing tools is to maintain their operational infrastructure and avoid detection. By reusing familiar tools, they can leverage their knowledge of vulnerabilities and weaknesses, allowing them to conduct attacks more efficiently. Additionally, creating new tools from scratch entails significant time and effort, as they need to be tested, refined, and integrated into existing attack frameworks. By building upon established tools, APT groups can focus on evolving their techniques and evading detection." The key, Parnell argued, is a multi-layered defense. "Organizations must adopt a multi-layered approach to defend themselves against backdoors like Graphican. Keeping software and systems up to date with the latest security patches is essential. Many backdoors exploit known vulnerabilities, and by promptly applying patches, organizations can significantly reduce their attack surface. To truly stay ahead of advanced threats like Graphican, investing in intelligence-powered cybersecurity solutions is crucial. By leveraging augmented intelligence, enterprises can analyze vast amounts of data, identify patterns, and detect anomalous activities that may indicate the presence of sophisticated threats. By continuously learning from new attack techniques, intelligence-powered cybersecurity systems can provide real-time threat intelligence, enabling organizations to proactively defend against emerging threats.”)